Ballot SC061v4: New CRL Entries must have a Revocation Reason Code
Server Certificate Working Group
Key dates
- Effective date: 15 Jul 2023
- Voting opened: 15 Feb 2023
- Voting closed: 22 Feb 2023
- Discussion opened: 08 Feb 2023
- Discussion closed: 15 Feb 2023
AI Summary
Ballot overview
- Ballot SC061v4, New CRL Entries must have a Revocation Reason Code, modifies sections 4.9.1.1 and 7.2.2 of the Baseline Requirements.
- The ballot is described as a Final Maintenance Guideline.
- The stated purpose is to incorporate CRL reason codes that Mozilla adopted in section 6.1.1 of the Mozilla Root Store Policy.
Voting and adoption
- Certificate Issuers: 24 votes total, 24 YES, 0 NO, 0 abstentions.
- Certificate Consumers: 3 votes total, 3 YES, 0 NO, 0 abstentions.
- The bylaws requirements were MET for issuer approval, consumer approval, one affirmative vote in each category, and quorum.
- The ballot page says the ballot enters the IP Rights Review Period.
Requirement changes
- For subscriber certificate revocations, the CA must revoke within 24 hours and use the corresponding CRLReason.
- For certain revocation cases, the ballot assigns specific CRLReason values, including unspecified, privilegeWithdrawn, keyCompromise, superseded, and cessationOfOperation.
- For some cases, the CA SHOULD revoke within 24 hours and MUST revoke within 5 days and use the corresponding CRLReason.
- Section 7.2.2 is updated so that if a reasonCode CRL entry extension is present, the CRLReason must indicate the most appropriate reason for revocation of the Certificate.
- For Subscriber Certificates revoked after July 15, 2023, CRLReason must be included in the reasonCode extension unless the reason is unspecified (0).
- Revocation reason code entries for Subscriber Certificates revoked prior to July 15, 2023 do not need to be added or changed.
- The ballot lists the CRLReasons that may be present in the reasonCode extension for Subscriber Certificates and adds guidance for subscriber notification, CA tools, and updates when key compromise is later verified.
Effective date and applicability
- The redline shows the new Baseline Requirements version as 1.8.7 with an effective date of 15-Jul-2023.
- The effective compliance date for the new CRL reason code requirement is July 15, 2023.
- The July 15, 2023 date applies to Subscriber Certificates revoked after that date; earlier revocations are exempt from adding or changing revocation reason code entries.
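One way to lint CRL entries against the rule summarized above, as an added example that is not part of the ballot or of any CA/Browser Forum tooling. It assumes entries are already parsed into (serial, revocation date, reasonCode or None) tuples. The permitted-reason set and the treatment of an explicit unspecified (0) as a violation are taken from Baseline Requirements section 7.2.2 rather than from this summary, and a revocation dated exactly 15 Jul 2023 is read as exempt.

```python
from datetime import date, datetime, timezone

# Date from the ballot summary; the rule covers revocations after it.
EFFECTIVE = date(2023, 7, 15)
# CRLReason numbers as defined in RFC 5280 (7 is unused).
RFC5280_REASONS = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}
# Assumption: permitted Subscriber Certificate reasons per BR section 7.2.2;
# affiliationChanged (3) is not named in the summary above.
ALLOWED = {1, 3, 4, 5, 9}

def check_entry(serial, revoked_at, reason):
    """Return (serial, verdict); reason is None when reasonCode is absent."""
    if revoked_at.astimezone(timezone.utc).date() <= EFFECTIVE:
        return serial, "exempt: revoked on or before the effective date"
    if reason is None:
        return serial, "ok: no reasonCode, read as unspecified"
    if reason == 0:
        # Assumption from BR 7.2.2: unspecified is expressed by omission.
        return serial, "violation: explicit unspecified (0), omit reasonCode"
    if reason not in ALLOWED:
        name = RFC5280_REASONS.get(reason, "unknown")
        return serial, f"violation: {name} ({reason}) not permitted"
    return serial, f"ok: {RFC5280_REASONS[reason]}"

def check_crl(entries):
    """Check every entry and return only the violations."""
    results = (check_entry(*entry) for entry in entries)
    return [r for r in results if r[1].startswith("violation")]

# Constructed sample entries (serial, revocationDate, reasonCode); not real data.
SAMPLE = [
    ("01", datetime(2023, 3, 1, tzinfo=timezone.utc), 6),     # old, exempt
    ("02", datetime(2023, 8, 2, tzinfo=timezone.utc), 1),     # keyCompromise
    ("03", datetime(2023, 8, 3, tzinfo=timezone.utc), None),  # omitted
    ("04", datetime(2023, 8, 4, tzinfo=timezone.utc), 0),     # explicit 0
    ("05", datetime(2023, 8, 5, tzinfo=timezone.utc), 6),     # certificateHold
]

if __name__ == "__main__":
    for serial, verdict in check_crl(SAMPLE):
        print(serial, verdict)
```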
- 2023-07-15: CRLReason must be included in the reasonCode extension of the CRL entry unless the reason is unspecified (0). Applies to Subscriber Certificates revoked after this date.
- 2023-07-15: Revocation reason code entries do not need to be added or changed. Applies to Subscriber Certificates revoked prior to this date.
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Vote result
Proposers
Proposed by Ben Wilson of Mozilla and endorsed by David Kluge of Google Trust Services and Kiran Tummala of Microsoft.
Excerpt
Ballot SC061v4: New CRL Entries must have a Revocation Reason Code
Voting Results
Certificate Issuers
24 votes total, with no abstentions: